|
PHP - Recommended Session Length?
For PHP 7.4, what is the recommended session length that I should be using to have the best security? In DEV< in my php.ini file, session.sid_length = 26 According to the comments above that, it sounds like you can go up to 256. Is it fair to assume that larger is more secure? Also, if I set it to a larger size like 256, is tehre any risk of breaking things on my (VPS) web server running WHM/cPanel? Similar TutorialsHello everyone, I've searched these forums for a while now trying to resolve a problem that I have with my sessions timing out before I would like them to, but I've only gotten confused about it. I've read about changing some settings or adding code in my php.ini file but I have no idea what I'm doing when it comes to that. I'm starting the session simply by having session_start(); at the top of each of my pages. I'm including a copy of my entire php.ini file here so that you can see what I have already. Can someone please help me to figure out what I would need to do to make my sessions last at least 8 hours? Thanks in advance. Here's my php.ini file: Code: [Select] register_globals = off allow_url_fopen = off expose_php = Off max_input_time = 60 variables_order = "EGPCS" extension_dir = ./ upload_tmp_dir = /tmp precision = 12 SMTP = relay-hosting.secureserver.net url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset=" ; Only uncomment zend optimizer lines if your application requires Zend Optimizer support ;[Zend] ;zend_optimizer.optimization_level=15 ;zend_extension_manager.optimizer=/usr/local/Zend/lib/Optimizer-3.3.3 ;zend_extension_manager.optimizer_ts=/usr/local/Zend/lib/Optimizer_TS-3.3.3 ;zend_extension=/usr/local/Zend/lib/Optimizer-3.3.3/ZendExtensionManager.so ;zend_extension_ts=/usr/local/Zend/lib/Optimizer_TS-3.3.3/ZendExtensionManager_TS.so ; -- Be very careful to not to disable a function which might be needed! ; -- Uncomment the following lines to increase the security of your PHP site. ;disable_functions = "highlight_file,ini_alter,ini_restore,openlog,passthru, ; phpinfo, exec, system, dl, fsockopen, set_time_limit, ; popen, proc_open, proc_nice,shell_exec,show_source,symlink" When a user logs on, I authenticate them with a session. How do I use php to determine the time until the session will expire? I realize I could go into the ini file but is there a php code that can query this info and echo it back? Hi all, Yesterday I moved a web application from a normal cookie session to a use_trans_sid session because some users' browser didn't accept cookies. This works great, but the session used to last for 45 minutes (set with session.gc_maxlifetime), but after the change the session times out faster. (How) can I set the session length if I use use_trans_sid? Thanks, Base PS: PHP version 5.2.13-1 Per line 79 of the latest php.ini file (http://git.php.net/?...duction;hb=HEAD), the production php.ini file is recommended for both production and development. Agree?
I would like to know the “typical” recommended changes to this file for both production and development. My requirements should be assumed typical with the following qualifications:
Installed using yum on Centos
Apache/2.2.15
MySQL (PDO)
Either a physical machine or VPS (not a shared host)
Primary US market
Hopefully, this provides enough description, and if you still feel it totally depends on each individual’s unique needs, please let that remain unsaid.
Below is my initial assessment:
Line 445: Change error_reporting to E_ALL for development only.
Line 462: Change display_error to On for development only.
Line 473: Change display_startup_error to On for development only.
Line 568: Leave error_log blank so they go to the SAPI Error Logger (what does this mean?)
Line 656: Change post_max_size if specifically needed for the application. Ideally, this would be changes in a particular script, however, I don’t think this is possible.
Line 676: Should default_charset remain at “UTF-8”?
Line 799: Change upload_max_filesize if specifically needed for the application. Ideally, this would be changes in a particular script, however, I don’t think this is possible.
Any other recommended changes?
Thank you
Hey, I have always wondered if there is a correct way of displaying variables inside html. Typically I would echo each variable inside php tags when displaying outside of a loop but what would you recommend for a while loop while more than say 5 variables to display? Code: [Select] echo "<tr><td>".$var1."</td></tr>"; OR Code: [Select] <tr><td><?php echo $var1; ?></td></tr> I look at my phpinfo() output, and it has ISO-8859-1 and ISO-8859-15 all over it. UTF is not listed once.
Furthermore, mb_internal_encoding() displays it as ISO-8859-1.
For the most part, I stick to the default settings unless I have a specific reason to change.
Should I be changing php.ini to use UTF-8? If so, any specific advice how to do so? This whole encoding issue has been causing me major grief today
I typically structure my applications something like the following. I lump general functionality into a given component. For instance, I might have com_users component which deals with user administration, and implements the ability to view a list of users, view a given user, delete a user, edit a user, etc. This structure was borrowed long ago from my learning PHP Joomla days which I no longer use. index.php figures out which component is being accessed, evokes the controller which gets data from the model and sends the data to the view. The view defined in each component only deals with the central content, and mainTemplate.php deals with the peripheral. First question. Is there anything inherently wrong with this approach? Second question. I am looking to start using Twig. Would this same structure work? I would replace /var/www/html/lib/templates/mainTemplate.php with a Twig file, and replace var/www/components/component1/views/view-1-1.php, etc with Twig files which extends the main Twig template. /var/www/components/component1/controllers/controller-1-1.php /var/www/components/component1/controllers/controller-1-2.php /var/www/components/component1/models/model-1-1.php /var/www/components/component1/views/view-1-1.php /var/www/components/component2/etc/etc /var/www/html/lib/templates/mainTemplate.php /var/www/html/lib/templates/mainCSS.css /var/www/html/lib/js/someJSforAllComponents.js /var/www/html/lib/components/component1/js/someJSForComponent1.js /var/www/html/index.php I know the default length of a tiny int is less than an int, but if I put in the same length for both, are they essentially the same type? http://php.net/manua...ssword-hash.php shows a simple example to hash a password using BCRYPT. I've read different posts recommending CHAR(60), BINARY(60), BINARY, and even BINARY(40).
What are the pros and cons of using one datatype over another?
<?php
/**
* In this case, we want to increase the default cost for BCRYPT to 12.
* Note that we also switched to BCRYPT, which will always be 60 characters.
*/
$options = [
'cost' => 12,
];
echo password_hash("rasmuslerdorf", PASSWORD_BCRYPT, $options)."\n";
?>
This topic has been moved to Miscellaneous. http://www.phpfreaks.com/forums/index.php?topic=326872.0 Hey PHPFreaks! I'm designing an online application using OOP. This is by no means my first application, but it is using Object Oriented techniques, so I come to you helpful folks with a question.Essentially, I would like to be able to find out about recommended ways to approach page templates in a class design, as well as other general good class design practices specific to server-side languages. So, without further ado, what is considered a good/recommended method of approaching template design using OOP? For example, a base template class which can be extended for multiple themes, so additional themes don't have to recreate the core functionality if they decide not to change it. It seems that there are a lot of methods to approach it, which is why I'm here! Any help you can provide would be greatly appreciated! I am having trouble resolving an error. Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/s519970/public_html/header.php:27) in /home/s519970/public_html/admin/login.php on line 2 What I can gather is I can't use "header (Location: 'admin.php')" after i've used session_start(). I have tried to replace the header (Location: 'admin.php') with this: echo "<script>document.location.href='admin.php'</script>"; echo "<script>'Content-type: application/octet-stream'</script>"; I've been trying to read up on solutions but haven't been able to get it sorted. If anyone can offer some advice that would be greatly appreciated as im new to php. Code: [Select] <?php session_start(); if(isset($_SESSION['user'])) echo "<script>document.location.href='admin.php'</script>"; echo "<script>'Content-type: application/octet-stream'</script>"; ?> <div id="loginform"> <form action="dologin.php" method="post"> <table> <tr> <td><span>Username:</span></td> <td><input type="text" name="username" /></td> </tr> <tr> <td><span>Password:</span></td> <td><input type="password" name="password" /></td> </tr> <tr> <td colspan="2" align="right"><input type="submit" name="login" value="Login" /></td> </tr> </table> </form> </div> I have tried using require_once('yourpage.php'); before my <head></head> tags in the header document where I've specified the html information but this doesn't seem to work. I've been advised to use ob_start("ob_gzhandler"); but I am not sure how to implement this. Any advice is greatly appreciated! I am trying to create an index page which contains registration and login field the problem that i get is on successful login a warning is displayed session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at C:\xampp\htdocs\Eventz.com\index.php:116) in C:\xampp\htdocs\Eventz.com\index.php on line 235 This is the login part of my index.php this tag is inside an html table below the login form I also have a registration form and its php code above the login form Code: [Select] <?php if (isset($_REQUEST['pass'])) { $id=$_POST['id']; $pass=$_POST['pass']; $conn =mysql_connect("localhost","root",""); if (!$conn) { die('Could not connect: ' . mysql_error()); } /* checking connection....success! */ $e=mysql_select_db('test', $conn); if(!$e) { die(''.mysql_error()); } else { echo 'database selected successfully'; } if (isset($_REQUEST['id']) || (isset($_REQUEST['pass']))) { if($_REQUEST['id'] == "" || $_REQUEST['pass']=="") { echo "login fields cannot be empty"; } else { $sql=mysql_query("Select email,password from login where email='$id' AND password='$pass'"); $count=mysql_num_rows($sql); if($count==1) /* $count checks if username and password are in same row */ { session_start(); $_SESSION['id']=$id; echo "</br>Login Successful</br>"; } else { echo "</br>invalid</br>"; echo "please try to login again</br>"; } } } } ?> Any help or suggestion would be appreciated in this page http://maximaart.com/newscp/ i have this problem Code: [Select] Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /home/maximasy/public_html/newscp/index.php:1) in /home/maximasy/public_html/newscp/index.php on line 2 my source code is <?php session_start(); include_once("config.php"); include_once("functions.php"); $errorMessage = ''; if (isset($_POST['txtUserId']) && isset($_POST['txtPassword'])) { if ($_POST['txtUserId'] === "$user" && $_POST['txtPassword'] === "$pass") { // the user id and password match, $_SESSION['basic_is_logged_in'] = true; require("main.php"); exit;?> hi everyone. i'm wondering what the best way is to create a session variable and pass it to an iframe. i need to do something along these lines, but it doesn't seem to pass the ID. Any hints on how i should accomplish this? Code: [Select] session_start(); $_SESSION['ID']=$_GET['ID']; // id from previous page $ID=session_id(); <iframe src="iframepage.php?ID=<?php echo $ID; ?>" style="width:680px; height:200px;" noresize="noresize" frameborder="0" border="0" scrolling="Yes" allowtransparency="true" /> </iframe> I'm making a simple login system with MySQL and PHP (very simple, I'm just starting with PHP). The MySQL portion is done, but I need to ensure only people who are logged in can see certain content. To check if people are logged in, my website checks that they have the $_SESSION['user'] variable set. If it is set, then it lets them continue through the website, if not, it tells them to login. Is that enough security, or can people simply inject a session cookie into their browser to spoof that they are logged in? My idea was to generate a session key cookie when they login (just a random string of letters and numbers) and store that in the database, then on every page, check to make sure their session key is the same thing that's in the database. Is this necessary? It seems expensive. Is 40 characters long enough for an E-mail field? Debbie I've got an enormous page for a pretty complex process. I just posted some changes, and it stopped functioning. Through multiple tests, I determined there was no problem with the code; it was just becomes too large at a certain point. I've read about changing settings in the php.ini file, but I'm not exactly sure what to change or what to bump it up to to allow for this huge page. Here are some current settings that I'm guessing control this problem: Code: [Select] max_execution_time = 30 ; Maximum execution time of each script, in seconds max_input_time = 60 ; Maximum amount of time each script may spend parsing request data memory_limit = 8M ; Maximum amount of memory a script may consume (8MB) ; Maximum size of POST data that PHP will accept. post_max_size = 8M ; Maximum allowed size for uploaded files. upload_max_filesize = 2M Does anyone have any insight into what to change or what settings might allow for a larger page? Not sure which one of these settings controls my problem. Thanks, as always, for any help. Howdy, I have a page on my site that displays events I have uploaded. Below is the code that displays the event title. I want to know if there is a simple way to limit the characters of the title that a view will see. For example, limiting the title to 10 characters. So, if I had an event titled "My awesome new event". You would see "My awesome..." Hope this makes sense. I'm not sure if you will need to see more of the code to help me, thank you! <a href ="event-description.php?eid=<?php echo $data->EventId?>"<span class="events-title"><?php echo $data->EventTitle ?> Hi all,
The output of the following line of code where user is Jack1234
$user = filter_input(INPUT_POST, 'user', FILTER_SANITIZE_STRING);using var_dump is string 'Jack1234' (length=8)I would like to know if there is someway we can use/retrieve the length value of the string that is displayed in the output or verify the string length against it. Thanks. |
|||||||